Third-Party CNOT Attack on MDI QKD 
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In this letter, we concentrate on the very recently proposed Measurement Device Independent 
Quantum Key Distribution (MDI QKD) protocol by Lo, Curty and Qi (PRL, 2012). We study 
how one can suitably present an eavesdropping strategy on MDI QKD, that is in the direction of 
the fundamental CNOT attack on BB84 protocol, though our approach is quite different. In this 
strategy, Eve will be able to know expected half of the secret bits communicated between Alice 
and Bob with certainty (probability 1) without introducing any error. Further, for the remaining 
bits, where Eve will only be able to predict the bit values as in random guess (with probability 
|), she will certainly find out whether her interaction induced an error in the secret bits between 
the communicating parties. Given the asymmetric nature of the CNOT attack, we also introduce 
Hadamard gates to present a symmetric version. Though our analysis does not refute the security 
claims in MDI QKD, adapting the CNOT attack in this scenario requires nontrivial approach using 
entanglement swapping. 
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I. INTRODUCTION 

The idea of quantum key distribution was introduced 
by Bennet and Brassard, that is famous as the BB84 
protocol [HQ. Against BB84 0, one of the most funda- 
mental attack in this area is known as the CNOT attack 
that uses a CNOT gate. In this case, Eve can obtain 
complete information for the qubits sent in Z basis with- 
out creating any disturbance. However, for the qubits 
sent in X basis, Eve can not have any advantage and it 
also induces a disturbance as high as \. 

There are several variants of the traditional BB84 pro- 
tocol that received attention in literature. The very re- 
cent proposals [3, 4] arc motivated from resistance against 
side channel attacks where they allow an untrusted party 
in the protocol. In particular, to resist detector side chan- 
nel attacks, measurement device independent quantum 
key distribution idea has been presented in Q. We will 
show how the fundamental idea of CNOT attack can be 
suitably modified to be accommodated in this scenario. 
As this proposal is very recent, to the best of our knowl- 
edge, such attack has not yet been studied. The CNOT 
attack is inherently asymmetric. Thus, we exploit the 
Hadamard gate towards a symmetric version of this at- 
tack. 

In MDI QKD [4j , Alice and Bob need not measure any 
qubit, and all the measurements are executed at Eve's 
end, an untrusted third-party. Thus, for eavesdropping 
strategies, it is natural to consider that Eve herself will 
try to gather information about the secret key while as- 
sisting Alice and Bob. That is why, this attack can be 
termed as third-party attack. While the idea of [|| uses 
entanglement swapping Q for building the protocol, it 
is interesting to note that we exploit this for third-party 
CNOT attack against MDI QKD Q. The application of 



entanglement swapping is evident in such protocols (ei- 
ther in design or in analysis) due to the involvement of 
the third-party. 

Let us now present a few notations that we will be us- 
ing. By BERab we denote the Bit Error Rate for the key 
bits between Alice and Bob. By Pg, we denote the Suc- 
cess Probability of Eve in correctly guessing the bit that 
Alice sent to Bob in form of a qubit. The eavesdropping 
technique (that we present here) considers that Eve will 
either get the complete information about the bit, i.e., 
Pe = 1 or she will have no information at all other than 
the random guess, i.e., Pe = h- However, in the second 
case, Eve will have some other kind of information as fol- 
lows. By 7Te, we denote the success probability of Eve in 
correctly guessing whether an error gets introduced dur- 
ing the communication between Alice and Bob. That is, 
in this case, Eve may not have any knowledge about the 
value of the bit, but she exactly knows whether an error 
has occurred or not during the communication between 
Alice and Bob, i.e., tte = 1. 



II. CNOT ATTACK ON MDI QKD [4] 

To understand this algorithm, we use Bell states. 
These are two-qubit entangled states that can form or- 
thogonal basis. The four Bell states can be written as 
1^) = ^[|00) ± |11)], I**) = ^[|01) ± |10)]. The 
untrusted third-party Eve measures the states received 
from Alice and Bob in this basis and informs the mea- 
surement result back to them. For eavesdropping pur- 
poses, we will also study some other measurements by 
Eve on the qubits through which she will interact with 
the qubits sent by Alice and Bob. For such purposes, 
based on the public discussion between Alice and Bob, 
Eve will either measure in Bell basis or in computational 
basis, i.e., |00), |01), |10), |11). Before proceeding further, 
let us first explain MDI QKD 0]. 

1. Alice and Bob create random bit strings at their 
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ends and encodes the bits in either Z or X basis 
randomly and send those to Eve. 

2. Eve receives each pair of qubits (one from Alice and 
one from Bob) and measures them in Bell basis. 
The detection results are publicly announced. 

3. For the cases where the basis of Bob and Alice 
match 

(a) if the qubits of Alice and Bob are in Z basis 
and the measurement results at Eve are | v I /± ), 
one of Alice or Bob has to flip the bit ; 

(b) if the qubits of Alice and Bob are in X basis 
and the measurement result at Eve is \^~) or 
|$~), one of Alice or Bob has to flip the bit; 

4. Information reconciliation (using error correcting 
codes) and privacy amplification are performed by 
Alice and Bob on the remaining n bits (let us call 
that the raw key) to obtain m shared key bits (final 
key). 

In the actual implementation, Eve can identify only two 
(|^ )) of the four Bell states and that is claimed to be 
enough for the security proof to go through Our 
analysis will also go through in a similar manner in such 
a scenario. 

We present the following table for understanding all 
the cases. When Alice and Bob generate qubits in dif- 
ferent bases then those pairs of qubits arc discarded and 
thus this is not shown in the table. 



Qubits sent by 


Probability (Eve 


's end) 


Flip 


Alice 


Bob 


|$+} 


|$-) 








10} 


10} 


l 

2 


1 

2 








No 


10) 


11} 








1 

2 


i 

2 


Yes 


11) 


10} 








1 

2 


1 

2 


Yes 


11} 


11} 


1 

2 


1 

2 








No 


1+) 


1+} 


1 

2 





1 

2 





No 


1+) 


1-} 





1 

2 





1 

2 


Yes 


I-) 


1+} 





1 

2 





1 

2 


Yes 


I-) 


1-} 


1 

2 





1 

2 





No 



A. The CNOT attack 

The eavesdropping model in this case is as follows, 
where the untrusted third-party Eve will try to obtain 
the information. Eve will take the qubits from Alice and 
Bob and put each one of them in the control input of a 
CNOT gate and she will supply |0) in the target. The 
outputs corresponding to the control qubits of the CNOT 
gates will be measured in the Bell basis by Eve and the 
result will be communicated to Alice and Bob. Eve stores 
the output corresponding to the target in her quantum 
memory. Then Alice and Bob will go for public discus- 
sion to announce their bases. Knowing these, Eve will try 



to extract information from the outputs corresponding to 
the target qubits of the CNOT gates. 

Consider that both Bob and Alice communicated in 
Z basis. In such a case, Eve will be able to copy these 
perfectly using CNOT gates without creating any distur- 
bance to the qubits sent by Alice and Bob. If the mea- 
surement output at Eve is |<f )± ), then the bits of Alice 
and Bob match. Similarly, if the measurement output 
at Eve is | , 3 /± ), then the bits of Alice and Bob do not 
match and one of them needs to toggle his/her bit. Thus 
in this case, Eve will obtain all the information without 
creating any disturbance. Note that, in this case, Eve 
will measure her target qubit in computational basis, i.e., 
|00),|01),|10),|11). 

When Bob and Alice communicate in X basis, then 
error is introduced by the CNOT attack and the situa- 
tion can be seen as an example of entanglement swap- 
ping [f| . Let us explain one specific case here. The other 
cases will be similar. Consider that Alice and Bob both 
send |+). Thus, after the application of CNOT gates by 

Eve, there will be entangled states |0a ° Ei> J1 1a1ei> and 
\0 b 0e 2 )+U-b1e 2 ) correS p 0nc ij n g to Alice and Bob respec- 
tively. Now the qubits corresponding to Alice and Bob 
will be measured in Bell basis. One can see that 

{ \0a0e 1 ) + \1aIe 1 ) \ _ f \0 B 0E 2 ) + \IbIe 2 ) \ 

{ 71 ) 65 1 71 ) 

can be written as |(|^ B )|^ lB2 ) + 1*^}!*^) + 

\*ab)\* Ei e 2 ) + \*ab)\*e iE2 ))- 

The correct measurement in this case is |$j[ B ) or 
I^Jib) that happens with probability \ and in such a case 
after the bases of Alice and Bob are published, Eve will 
measure either B ,) or \^ ElE ^) and she will be able 
to know that no error has been introduced. However, if 
the measurement result becomes \^ ElE ) or \^ ElE2 ) (this 
happens with probability ^ too), then Eve knows that 
an error has been introduced, and she will not be able to 
know the secret bit. Similarly, we can analyse the other 
cases and get the following as in Table H After Bob and 
Alice publicly declares their bases, if that is Z, then Eve 
obtains all the information without introducing any error 
by measuring in computational basis |00), |01), |10), |11). 
If the basis is X, then Eve's interaction introduces error 
at the rate of ^, but Eve does not obtain any informa- 
tion about the secret bits. In these cases, if Eve measures 
\^~e ± e 2 ) or \^~E!E 2 ) then she knows that no disturbance 
has been introduced. If Eve measures \& EE ) or \^e 1 e 2 ) 
then she understands that error has been introduced, i.e., 
Bob and Alice will land into a complement bit value at 
this location of the secret key. To summarize, we have 
the following situation. 
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FIG. 1: CNOT attack on MDI QKD 
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TABLE I: State with Eve after the CNOT attack. 



B. The symmetric version 

As we have seen in the previous section, the third-party 
CNOT attack docs not introduce any error in Z basis, 
but induces errors in half of the cases in X basis. Thus 
this eavesdropping scenario is asymmetric. To provide a 
symmetric scenario, wc make the following modification. 

Let H be the Hadamard gate, I be the identity gate 
(both works on a single qubit) and C be the CNOT gate 
(that works on two qubits). Let us define 

P U = {H® I) U C{H <g) I) u for u = 0, 1, 

I)C(H ® I). One can check 



i.e., P = C and P 1 = (H 
that 

Po(|00)) = |00), 
^o(|+0» = ^±Hj^ 

p i( |oo» = ^±Li^, 



*MI + o» 



0), 



Pb(|10» = |11>, 
Po(| - 0» = ^>±j^ 
^(|10» = J2=$p, 
Pi(|-0)) = |-1). 



Eve applies either P or Pi based on the outcome of an 
unbiased coin toss. The case of applying Po (CNOT) 
for each of Bob and Alice has been described in previous 
section. 

In case, P\ is applied, and both Bob and Alice com- 
municate in X basis then Eve will be able to obtain the 
secret bits completely without creating any disturbance 
by measuring her target qubits in computational basis 
|00),|01),|10),|11). 

However, if Alice and Bob communicate in Z basis 
and Pi is applied, then Eve will only be able to predict 
the secret bit as in the case of random guess (i.e., with 
probability |), though she will be able to exactly identify 
whether error has been introduced. This case is similar 
to the one where Alice and Bob communicate in X basis 
and Pq, i.e., CNOT is applied. The different cases are 



explained as follows in Table [II] Thus, when Po and Pi 
are used randomly with probability ^ in each case, we 
have the following outcomes. 
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The complete algorithm for Hadamard assisted CNOT 
attack is as follows. 

1. Eve applies either Po or Pi on the qubits \ha) and 
| i-i b) (communicated by Alice and Bob to Eve) and 
|0) (ancilla supplied by Eve) for both the cases. 

2. The two-qubit state (outputs corresponding to 
|a*a))|a*s)) i s measured in Bell basis and the re- 
sult is communicated to Alice and Bob. Further, 
both the outputs corresponding to the |0) qubits 
(the target ones) are kept with Eve. 

3. After the public discussion between Alice and Bob, 
Eve comes to know about the cases where Alice 
and Bob communicated in the same basis. The 
cases where Bob and Alice communicated in differ- 
ent bases are in any case discarded. 

4. If Alice and Bob both communicated qubits in Z 
(respectively X) basis and Eve applied Po (respec- 
tively Pi), then Eve obtains the corresponding se- 
cret bit correctly without introducing any error by 
measuring the pair of qubits in computational ba- 
sis. 
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FIG. 2: Hadamard assisted CNOT attack on MDI QKD 
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TABLE II: State with Eve after the Hadamard assisted CNOT attack. 



5. If Alice and Bob both communicated qubits in Z 
(respectively X) basis and Eve applied P 1 (respec- 
tively Pq), then Eve can only guess about the com- 
municated bit with probability i (i.e., no informa- 
tion better than the random guess) inducing a bit 
error with probability | . 

In such cases, Eve measures her qubits in Bell ba- 
sis and if the measurement output is \& E Eo ) or 

1*^,) (respectively 1*^,) or I*b 1 b 2 )) then Eve 
knows that error has not been (respectively has 
been) introduced in the communication. 

As Alice and Bob settle on either Z or X basis equally 
likely, and Eve also applies Pq or P\ based on the outcome 
of an unbiased coin, the error rate in both Z and X basis 
will be equal. Thus the attack is a symmetric one. On 
an average, BERab = \, Pe = f and w E = 1. 

Moreover, the eavesdropping by Eve may be induced 
in a portion of the communicated bits instead of all, say a 
proportion £. This is due to the fact that if Alice and Bob 
notice a channel noise more than some threshold value, 
then they will abort the protocol. In such a case, Eve 
will be able to guess expected | proportion of bits with 
probability 1. For the remaining bits, though she will 



not gain anything other than the random guess, she will 
be able to know whether error has been induced during 
the communication between Alice and Bob. Thus, on an 
average, BERab = j, Pe — x anci ^e = C Due to the 
symmetric nature of this eavesdropping strategy, Alice 
and Bob would not be able to distinguish this eavesdrop- 
ping from channel noise. 



III. CONCLUSION 

In this letter, we have considered how CNOT kind of 
attack can be mounted on a recently proposed variant 
of BB84, which is referred as Measurement Device Inde- 
pendent Quantum Key Distribution (MDI QKD) proto- 
col [I[ . Though our analysis is in the direction of CNOT 
attack on BB84 0, it requires a different approach by the 
third-party to execute the attack exploiting entanglement 
swapping. Through this kind of eavesdropping, Eve will 
exactly obtain around half of the secret bits communi- 
cated between Alice and Bob. For the rest of the bits, 
Eve will only be able to predict the bit values as in ran- 
dom guess. However, she will certainly find out whether 
her interaction induced an error between Alice and Bob. 
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